On 05/08/2019 09:18, Pete Biggs wrote:
>> I've found the default 10min bans hardly bother some attackers.
>> So I've added the "recidive" feature of fail2ban. After the
>> second 10min ban, the attacker is blocked for 1 week.
>>
> Oh definitely. My systems are set to "3 bans and you're out" - a
> recidive ban is permanent after three other bans. I have large parts
> of some subnets in my ban list as attackers just move from one host to
> another as they get banned.
>
> P.
>
I worked for a company some time back that had an association with a South African company who wanted to host some infrastructure in our data centre. The network admin there wanted a specific configuration for outbound source NAT from a certain host that would scroll through a list of source NAT IP addresses (think a whole /24) for every connection attempt; pretty sure it was for sending unsolicited emails. In any case, the association with that company didn't last and I took redundancy after less than a year there.
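The "recidive" jail Pete describes (permanent ban after three earlier bans), written out as an added jail.local fragment for this thread rather than taken from any poster's configuration; the log path and action are fail2ban's own defaults for this jail, and the thresholds are assumptions chosen to match his description:

```ini
# /etc/fail2ban/jail.local (added example, not from the thread)
# The recidive jail reads fail2ban's own log, counts the "Ban" lines
# for each address across all jails, and bans repeat offenders again.
# Thresholds below implement the "3 bans and you're out" policy
# described above (assumed values, seconds for old-version compatibility).
[recidive]
enabled   = true
logpath   = /var/log/fail2ban.log
# Block every port, not only the service the original jail protected.
banaction = %(banaction_allports)s
# Look back one day (86400 s) for earlier bans of the same address ...
findtime  = 86400
# ... and on the third one, ban with no expiry (negative bantime = permanent).
maxretry  = 3
bantime   = -1

# For comparison, the variant mentioned first in the thread
# (one week after the second 10min ban) would instead be:
#   maxretry = 2
#   bantime  = 604800
```

`fail2ban-client status recidive` lists the addresses the jail currently holds; a permanent ban stays until it is lifted with `fail2ban-client set recidive unbanip <addr>`.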
On Mon, Aug 05, 2019 at 09:31:56AM +0100, Giles Coochey wrote:
> On 05/08/2019 09:18, Pete Biggs wrote:
> > > I've found the default 10min bans hardly bother some attackers.
> > > So I've added the "recidive" feature of fail2ban. After the
> > > second 10min ban, the attacker is blocked for 1 week.
> > >
> > Oh definitely. My systems are set to "3 bans and you're out" - a
> > recidive ban is permanent after three other bans. I have large parts
> > of some subnets in my ban list as attackers just move from one host to
> > another as they get banned.
> >
> > P.
> >
> I worked for a company some time back that had an association with a South
> African company who wanted to host some infrastructure in our data centre,
> the network admin there wanted a specific configuration for outbound source
> NAT from a certain host that would scroll through a list of source NAT IP
> addresses (think a whole /24) for every connection attempt, pretty sure it
> was for sending unsolicited emails, in any case the association with that
> company didn't last and I took redundancy after less than a year there.

Now that would be a single firewall rule and a kernel ipset.

jl
-- 
Jon H. LaBadie                 jon at jgcomp.com
11226 South Shore Rd.          (703) 787-0688 (H)
Reston, VA 20190               (703) 935-6720 (C)
On 06/08/2019 00:12, Jon LaBadie wrote:
> On Mon, Aug 05, 2019 at 09:31:56AM +0100, Giles Coochey wrote:
>> On 05/08/2019 09:18, Pete Biggs wrote:
>>>> I've found the default 10min bans hardly bother some attackers.
>>>> So I've added the "recidive" feature of fail2ban. After the
>>>> second 10min ban, the attacker is blocked for 1 week.
>>>>
>>> Oh definitely. My systems are set to "3 bans and you're out" - a
>>> recidive ban is permanent after three other bans. I have large parts
>>> of some subnets in my ban list as attackers just move from one host to
>>> another as they get banned.
>>>
>>> P.
>>>
>> I worked for a company some time back that had an association with a South
>> African company who wanted to host some infrastructure in our data centre,
>> the network admin there wanted a specific configuration for outbound source
>> NAT from a certain host that would scroll through a list of source NAT IP
>> addresses (think a whole /24) for every connection attempt, pretty sure it
>> was for sending unsolicited emails, in any case the association with that
>> company didn't last and I took redundancy after less than a year there.
> Now that would be a single firewall rule and a kernel ipset.
>
Well, yes - I had a conversation with the guy, and he always had an answer: "oh, if that happens I can do this". He said that with real pride - a real slippery lizard in my opinion, and at the back of my head was, "maybe the people you're sending emails to just don't want to receive them! And that's why you're jumping through these countless hoops; if you actually had proper opt-in, with a working opt-out per default, you might not need this awful hack". There are companies out there specifically selling IP addresses with good reputations to companies who ruin that IP range's reputation; once their reputation has been ruined I guess they get discarded, sold on to another company who only then finds out that they can't run a mail server on that range because it's been added to every blocklist on the planet.